Thanks. As with the python yubico-authenticator, that's kind of useful because it shows the commands to use. However, there are a bunch of things missing from it — like locking with SCardBeginTransaction() when we need to talk to the card, and reselecting the ykneo-oath applet because OpenSC might have been talking to the PIV applet when we come back for a new tokencode. Currently, yubico-authenticator breaks when that happens.
It would be *so* useful if there was a simple library I could use to handle this for me, using something reminiscent of PKCS#11 URIs. So I just have a function which can give me a tokencode for file://home/dwmw2/foo.pskc (updating the counter in the file as appropriate if it's a HOTP token, with file locking done consistently too). Or for yubikey://cardident/objectname for yubikey, for example, without individual applications having to have hardware-specific details.
And while I think of it, wouldn't it be useful if RFC6030 defined a way for a PSKC file to refer to a token's secret key by means of a PKCS#11 URI?
And my hypothetical library (which is actually what oath-toolkit *ought* to provide instead of just the disjoint libpskc and liboath libraries) would Just Work™ with tokens in that form too.
Anyway, I now have OpenConnect authenticating automatically to VPN servers using HOTP/TOTP tokens from a Yubikey NEO (as well as SSL private keys stored therein). There's a little more cleanup to be done, but I've pushed it to
http://git.infradead.org/users/dwmw2/op ... ff/c24046b

It's the first time I've ever looked at PC/SC code so I don't claim there's anything particularly competent about it, but if you want to use any of it as the basis for a C library that at *least* supports Yubikey (rather than embarking on the grand plan outlined above), you're welcome to it under LGPLv2 or later.
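As an added illustration of the file:// half of the library wished for above (this is example code written for this page, not code from OpenConnect, oath-toolkit or the linked branch): a resolver that takes a file:// token URI, reads a plaintext PSKC file, computes the HOTP or TOTP code, and for HOTP writes the incremented counter back under an exclusive fcntl lock so that two concurrent callers cannot hand out the same code. The function names (`tokencode_for_uri`, `write_sample_pskc`, `current_counter`, `demo`) are invented here. The sample PSKC document is constructed to follow the RFC 6030 plaintext layout and carries the RFC 4226/6238 test key, so the codes it produces can be checked against those RFCs' test vectors. The yubikey:// scheme from the post is not implemented.

```python
"""Resolve file:// token URIs to OATH tokencodes (example code for this page)."""
import base64
import fcntl
import hashlib
import hmac
import os
import struct
import tempfile
import time
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

PSKC_NS = "urn:ietf:params:xml:ns:keyprov:pskc"
ET.register_namespace("", PSKC_NS)  # keep the rewritten file free of ns0: prefixes


def _q(tag: str) -> str:
    """Qualified PSKC element name for ElementTree."""
    return "{%s}%s" % (PSKC_NS, tag)


def _hotp(secret: bytes, counter: int, digits: int) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def tokencode_for_uri(uri: str, now=None) -> str:
    """Return the current tokencode for a file:// PSKC URI.

    HOTP: the counter in the file is consumed and rewritten under flock().
    TOTP: the code for `now` (epoch seconds, default wall clock) is returned.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "file":
        raise ValueError("only file:// URIs are handled in this example")
    # Tolerate the two-slash spelling (file://home/...) as well as file:///home/...
    path = os.path.join("/", parsed.netloc + parsed.path)

    with open(path, "r+b") as f:
        fcntl.flock(f, fcntl.LOCK_EX)  # serialise counter read-modify-write
        try:
            tree = ET.parse(f)
            key = tree.getroot().find(".//" + _q("Key"))
            data = key.find(_q("Data"))
            secret = base64.b64decode(data.find(_q("Secret") + "/" + _q("PlainValue")).text)
            fmt = key.find(".//" + _q("ResponseFormat"))
            digits = int(fmt.get("Length")) if fmt is not None else 6
            alg = key.get("Algorithm")
            if alg == PSKC_NS + ":hotp":
                ctr_el = data.find(_q("Counter") + "/" + _q("PlainValue"))
                counter = int(ctr_el.text)
                code = _hotp(secret, counter, digits)
                ctr_el.text = str(counter + 1)   # consume this counter value
                f.seek(0)
                f.truncate()
                tree.write(f, encoding="UTF-8", xml_declaration=True)
                f.flush()
                os.fsync(f.fileno())             # counter must hit disk before unlock
            elif alg == PSKC_NS + ":totp":
                step_el = data.find(_q("TimeInterval") + "/" + _q("PlainValue"))
                step = int(step_el.text) if step_el is not None else 30
                t = int(time.time() if now is None else now)
                code = _hotp(secret, t // step, digits)
            else:
                raise ValueError("unsupported PSKC algorithm: %r" % alg)
        finally:
            fcntl.flock(f, fcntl.LOCK_UN)
    return code


# Constructed sample after the RFC 6030 plaintext example; the secret is the
# RFC 4226 / RFC 6238 test key "12345678901234567890" in base64.
SAMPLE_PSKC = """<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0" xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
  <KeyPackage>
    <Key Id="12345678" Algorithm="{alg}">
      <AlgorithmParameters>
        <ResponseFormat Length="6" Encoding="DECIMAL"/>
      </AlgorithmParameters>
      <Data>
        <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
        {extra}
      </Data>
    </Key>
  </KeyPackage>
</KeyContainer>
"""


def write_sample_pskc(path: str, algorithm: str = "hotp") -> None:
    """Write the constructed sample as an HOTP (counter 0) or TOTP (30 s) token."""
    if algorithm == "hotp":
        extra = "<Counter><PlainValue>0</PlainValue></Counter>"
    else:
        extra = "<TimeInterval><PlainValue>30</PlainValue></TimeInterval>"
    with open(path, "w") as f:
        f.write(SAMPLE_PSKC.format(alg=PSKC_NS + ":" + algorithm, extra=extra))


def current_counter(path: str) -> int:
    """Read back the stored HOTP counter (to confirm the rewrite persisted)."""
    root = ET.parse(path).getroot()
    return int(root.find(".//" + _q("Counter") + "/" + _q("PlainValue")).text)


def demo() -> dict:
    """Exercise HOTP twice (counter advances) and TOTP at RFC 6238 test times."""
    path = os.path.join(tempfile.mkdtemp(), "foo.pskc")
    write_sample_pskc(path, "hotp")
    uri = "file://" + path
    first, second = tokencode_for_uri(uri), tokencode_for_uri(uri)
    stored = current_counter(path)
    write_sample_pskc(path, "totp")
    return {"hotp": (first, second), "counter": stored,
            "totp59": tokencode_for_uri(uri, now=59),
            "totp1111111109": tokencode_for_uri(uri, now=1111111109)}


if __name__ == "__main__":
    print(demo())
```

The lock is held across the parse, the HMAC and the rewrite, and the new counter is fsync'd before the lock is dropped, which is the "file locking done consistently" part: a second process blocked on the flock() sees the incremented counter rather than re-issuing the same code. flock() is advisory, so every consumer of the file has to use the same lock, and the example is POSIX-only because of fcntl.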